IE 10′s “Do Not Track” default dies quick death

Outrage from advertisers appears to have hobbled Microsoft's renegade plan.

The latest proposed draft of the Do Not Track specification published Wednesday requires that users must choose to turn on the anti-behavioral tracking feature in their browsers and software.

Microsoft IE 10, which the company announced last week, will have Do Not Track turned on by default, and thus won’t be compliant with the official spec. Which means that tech and ad companies who say they comply with Do Not Track could simply ignore the flag set by IE 10 and track those who use that browser, which means Microsoft has no choice but to change the setting.

Microsoft’s surprise announcement last Thursday was interpreted by many as a way to gouge Google, which runs an ad system based on tracking cookies. But it also enraged many online ad companies and industry groups, who saw the move as overly aggressive and a threat to their business model.

The new draft specification (.pdf), which is being worked out by a group of privacy advocates, browser makers, technology firms and online ad companies, now states:

Explicit Consent Requirement

Note: This section was recently added and has not been extensively discussed with stakeholders. Please consider it a preliminary position.

An ordinary user agent MUST NOT send a Tracking Preference signal without a user’s explicit consent.

Example: On first run, the user agent prompts the user to configure the Tracking Preference signal.

If that’s not clear enough, a summary of a working group conference call today sent out later Wednesday made the change clearer:

(1) Today we reaffirmed the group consensus that a user agent MUST NOT set a default of DNT:1 or DNT:0, unless the act of selecting that user agent is itself a choice that expresses the user’s preference for privacy. In all cases, a DNT signal MUST be an expression of a user’s preference. []…]

Implication A: Microsoft IE, as a general purpose user agent, will not be able to claim compliance with DNT once we have a published W3C Recommendation. As a practical matter they can continue their current default settings, since DNT is a voluntary standard in the first place. But if they claim to comply with the W3C Recommendation and do not, that is a matter the FTC (and others) can enforce.

Do Not Track doesn’t attempt to block cookies—instead it is a browser setting that sends a message to every website you visit saying you prefer not to be tracked. That flag is currently optional for sites and Web advertising firms to obey, but it’s gaining momentum with Twitter embracing it late last month.

The proposal also has the backing of the FTC, which has grown deeply skeptical of the online ad industry’s willingness to play fairly with users and has threatened to call for online privacy legislation. After initially opposing the idea, the online ad industry is now seeking to soothe the feds by hammering out rules that aren’t too tough on data collection. The hope then is that not many users avail themselves of the tool, and then not much has to change in how ad companies build profiles of users in order to sell premium-priced targeted ads.

But Microsoft’s announcement threw a wrench in those plans, since it’s likely that eventually something like 25 percent or more of the 'Net’s users will upgrade to IE 10 over time and would then have DNT on by default.

Privacy researcher Jonathan Mayer, one of the spec’s authors, announced the newest draft spec Wednesday, saying that the group had made much progress and that privacy groups had made large compromises on the final three sticking points, which included the question of default settings for browsers.

"As you review the draft, please recognize that it is a compromise proposal," Mayer wrote. "The document is not a retread of well-worn positions; it reflects extraordinarily painful cuts for privacy-leaning stakeholders, including complete concessions on two of the three central issues. Some participants have already indicated that they believe the proposal goes too far and are unwilling to support it."

The final three issues he identified are:

May a user agent enable Do Not Track by default?

May a website share its information with corporate affiliates?

May a third-party website continue to set tracking cookies (or use an equivalent technology for collecting a user’s browsing history)?

All of which means that there’s no likelihood now that Microsoft IE 10, or any other browser, will ship with DNT turned on by default, though they could come with a very easy way for users to turn it on. And there’s also nothing in the specification that would prohibit browsers from blocking tracking cookies by default by refusing "third-party" cookies, as Apple’s Safari browser has done for years.

But the lifetime of a browser with DNT turned on by default is clearly measured in internet time. IE 10 with DNT turned on lived for six days before getting its death sentence.

It was a pretty dumb idea to have it turned on in the first place, really. If everyone's telling a site the same thing without even knowing it, the entire idea of DNT would lose its meaning and weight.

I say have your browser ask the first time it is run after the feature is added if you want to be tracked. Make it a simple to understand yes or no question asked at first run. I would say yes turn on DNT when asked or as soon as I can.

I suspect they want the installer to specifically ASK at the time you install the browser whether or not you want tracking turned on or off. But, yeah, my feeling was that Do Not Track should be turned on by default BY LAW, and that one should be expected to OPT INTO tracking. Clearly the ad industry wants it the other way, though. What.... a.... surprise. oO

To be blunt, it shouldn't be the ad industry setting the terms here. If they had their way, likely there wouldn't be ANY restrictions on tracking.

How long till Microsoft are forced to remove anti virus and backup stuff to help out other companies.

How is it helping people to take a feature that looks very much like it will help a small number of people and completely cripple it so it helps no one? The W3C are definitely right here. Leaving it on by default would just mean everyone got tracked.

This will result in another case of the ad industry (and that includes site owners) screwing itself.

First it was adblockers. If everybody had been content with one or two static banners, people wouldn't have bothered with adblockers. But no, ads have to be intrusive, distracting, annoying. Now they lament how people surf without seeing any ads but you gotta ask: what did you expect?

Next up it's cookies. Tracking had to be exploited big time, until it reached more or less public conscience. And now they panic.

It was a pretty dumb idea to have it turned on in the first place, really. If everyone's telling a site the same thing without even knowing it, the entire idea of DNT would lose its meaning and weight.

Letting someone track what others do should be opt in and not opt out.

I say have your browser ask the first time it is run after the feature is added if you want to be tracked. Make it a simple to understand yes or no question asked at first run. I would say yes turn on DNT when asked or as soon as I can.

Just like the browser ballot.....it's a good idea, but I don't know if it will work in practice. I'm not sure I see Microsoft shipping software that asks the following the first time you launch it:

Future DNT Browser Ballot wrote:

Welcome to Internet Explorer!

To begin, we need to ask a few short questions to maximize your enjoyment of the Internet Experience (IE).

First: Would you like random individuals on the Internet to be able to track your viewing history, in order to better provide you with targeted advertisements which you may or may not desire?

(*) Yes, please allow my usage to be tracked and reported (leave DNT off)(*) No, I do not want to be tracked by random persons and companies on the Internet.

It just doesn't seem to fit their brand image. On the other hand, I could see GoDaddy asking this the first time a user logged into their browser, if they made one.

Given the speed standards negotiations tend to go it strikes me as unlikely that this position wasn't more or less settled a week ago, or at least looking like the most likely outcome, and that Microsoft knew this before they published the IE 10 DNT announcement.

If that's the case what was the point of that announcement? Heroic last-ditch attempt to derail this? Cynical attempt to get some positive press for something they knew full well they were going to be "forced" not to do. Something else?

Even if you turn it on, there is absolutely nothing it can do to stop websites from tracking you. It's akin to your browser sending a message that says "pretty please don't track me and I'll cross my fingers and pray that you listen to me".

To be honest, I'm not sure why people are wasting time with this. It's got "failure" written all over it.

The DNT flag is totally worthless. Obeying it is optional and the people with al the power in this situation are the advertisers. Unless DNT is implemented properly, by actually masking all the trackable data available to the web server or by legally mandating support of the opt-out flag this entire subjects is a waste of time.

Advertisers themselves should not be a part of thus discussion. You don't leave a cat in charge of the safety of a group of mice.

This will result in another case of the ad industry (and that includes site owners) screwing itself.

First it was adblockers. If everybody had been content with one or two static banners, people wouldn't have bothered with adblockers. But no, ads have to be intrusive, distracting, annoying. Now they lament how people surf without seeing any ads but you gotta ask: what did you expect?

Next up it's cookies. Tracking had to be exploited big time, until it reached more or less public conscience. And now they panic.

The advertisers could ignore the DNT flag no matter what, at this point, its ALL optional. So I would hope Microsoft enables the DNT flag by default. Eventually if there are laws passed that require advertisers to NOT ignore the DNT flag, it won't matter if it was enabled by default, its still enabled.

The solution of course is Microsoft and others all come to agreement, and they ALL enable the DNT flag by default, specificiations be damned. Eventually what would happen is Chrome would be forced to enabled it by default and the specifications will be simply changed.

Would someone with some bonus coding experience please write a little add-on or something that allows one to trick trackers into seeing nothing but their own site and oh, I don't know, goatse, or something?

Adblock + noscript to the rescue. Why do "advertisers" automatically assume that just because they have a business model, that it should be "protected" by it's inherent and natural limitations? We live in a society so commercialized that the baseline standard is now to gouge people by default, unless they shop around; things that are on "sale" are usually just items reduced to a fair markup price; telecom and software companies are becoming almost exclusively fixed on "open-wallet" business models whereby their products are often nothing more than an excuse to keep a siphon attached to your wallet/bank account.

Honor in business is apparently becoming too expensive.

Well, that was a bit ranty. But my point is that consumers are increasingly being taken advantage of and disrespected on so many different commercial levels that it is becoming increasingly difficult to respect the companies on the other end.

When has Microsoft EVER cared about having compliant implementations of anything?

Beat me to it. IE6, anyone?

Daemonworks wrote:

Wait, it can't be set, by default, to be either on or off... What is this, shroedinger's tracking? It's neither on or off until you check...

By my understanding, it's not allowed to send something explicitly one way or the other.

Example: You're ordering a shirt from a shop, and you're allowed a choice between a red one or a blue one. If you don't state your preference (e.g. "Just give me a shirt.") then it's up to the clerk to decide whether to A) ask you for clarification, or B) just make the choice for you and grab the color he thinks looks best.

So those who don't want to be targeted.. Maybe it's because I'm older than 23, but I fail to see the big problem of an automatic system calculating which ad might be more relevant to me based on my browsing behavior.

I ignore most ads anyway (with my eyes and in my mind, not any browser settings) and if a site wants to know what user g2eh_awe8241adfg8sad does on their site I really don't care one bit.

DoNotTrack was notthing more than a "please don't investigate us" sop anyway. I mean look at the damn thing, if it was done right the proposal would be "don't track me across websites unless the browser explicitly sends a TRACK token".

Wait, it can't be set, by default, to be either on or off... What is this, shroedinger's tracking? It's neither on or off until you check...

What I take from this is that it is against the regulations to have a DNT:1 or a DNT:0 flag set in the header by default, without a user choosing either way. The flag simply cannot be present.

This does make sense for the sake of measuring uptake of it - if 35% of people choose to be tracked and 65% of people choose not to out of only 5% of user agent strings on the 'net, it shows only a tiny fraction of people bother using the setting either way. If it was set to DNT:0 by default, it would look like the setting is being far more widely utilized and that (more) people are expressly giving their permission to have these tracking references saved.

It's a small but important difference that separates willing tracking allowance with simple ignorance that the setting exists at all.

Internet advertising is a bit of a conundrum for companies depending on it for revenues. We all love the free services those companies provide, but the bills have to be paid one way or another. On one side we have a need for personal information to ensure accurate, targeted ads which generate higher returns. On the other side we have a need for protecting personal privacy. It’s a tough balancing act.

Personally, I see great value in having ads that are more relevant to me. I would much rather see ads for something I actually want to buy rather than some generic scattershot ad for something that I’d never purchase. And with that comes a higher return on investment. That also means that sites and services that I use and love could continue to pay the bills and provide their services.

That said, I’m not sure I’m totally comfortable with them knowing a wide variety of actual details of my life. If I had diabetes for example, I’m not sure I’d want an advertising company knowing that even though they might be able to display cheaper medical supplies. Or if I’m searching for diabetic supplies, is it ok for them to “profile” me as a possible diabetic? That seems like it might touch upon protected personal medical information.

There’s a line somewhere, likely a little different for everyone, that needs to be drawn and that’s the hard part. DNT seems like an attempt to draw that line, but it’s certainly not perfect. And all the various companies involved are trying to balance on it.